Skip to main content
banner image
venafi logo

Certificate Management for Code Signing

Certificate Management for Code Signing

December 7, 2020 | Eddie Glenn

Trust is important in today’s digital world. Software clients require proof that the application they are using is legitimate. Securing and managing code signing certificates allows organizations to validate the software author and prove that the code has not been altered or tampered with after it was originally signed.

Code signing is more critical than ever because cybercriminals are leveraging the extremely complex modern software supply chains, introducing malware strains “upwards” which are then propagated through the supply chain “downwards”. A single infected software component can infect thousands of applications.

“Code signing keys and certificates serve as machine identities to authenticate all kinds of code so when they fall into the hands of attackers, they can be used to inflict enormous damage,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Secure code signing processes enable apps, updates, and open-source software to run safely, but if they’re not protected attackers can turn them into powerful cyber weapons. Code signing certificate misuse was the key reason Stuxnet and ShadowHammer were so successful.”

Developers must take extreme care in protecting private keys associated with code signing certificates to avoid complications. A streamlined, secure code signing process safeguards your business and provides inherent trust to your software consumers.

The importance of code signing certificates

Code signing certificates are important for all businesses. Organizations are depending on apps to reach their customers and deliver their services and products. Trusted code signing certificates protect businesses from security breaches. These certificates are valuable assets to hackers. Compromising an organization’s code signing certificates allows adversaries to create trusted versions of malware that appear to have been created by a legitimate developer.

Operating systems like Windows warn users if the software or drivers they are using are not properly signed and trusted. Finally, code signing needs to support distributed development teams. Developers are usually dispersed in various locations and they are using signing certificates to authenticate their code. However, poor code signing key and certificate management introduce risks that could result in costly breaches.

Code signing certificates are also used to secure and authenticate the firmware and software used in many IoT ecosystems. For example, in the automotive industry, these certificates are used to cryptographically sign the software communications over the CAN-bus. The famous Jeep Hack changed the firmware on the Jeep’s CAN-bus to take over and remotely control the vehicle in motion.

Code signing keys and certificates are crucial security assets, but unfortunately, organizations are not taking the appropriate steps to protect them. According to a recent Venafi survey among 320 security professionals in the U.S., Canada and Europe, although respondents understand the risks of code signing, they are not taking proper steps to protect this type of machine identities. For example, according to the study, only 28 percent of organizations consistently enforce a defined security process for code signing certificates.

“The reality is that every organization is now in the software development business, from banks to retailers to manufacturers,” says Bocek. “If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business.”

Best practices for securely managing code signing certificates and keys

The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key is compromised, the certificate loses trust and value, jeopardizing the software that you have already signed. This implies that control measures should be in place to protect code signing keys. The NIST whitepaper, “Security Considerations for Code Signing” outlines multiple control measures that should be taken to secure code signing keys.

Organizations should apply the following best practices to protect the code signing certificates.

1. Centrally secure all code signing private keys

Store private code signing keys in a centralized, encrypted, secure location. Developer’s like for them to be convenient and may have private keys stored on their personal computers, build servers, web servers, sticky notes, etc. Private keys should never leave the secure location, for any reason—even when they are used to sign code. Provide storage options for developers based on the type of code signing certificates that they are using. For example, extended validation (EV) certificates must be stored in a hardware security module (HSM). In addition, some compliance regulations may require that the secure location resides within a certain geographic location. Therefore, you may need to offer multiple secure locations.

2. Control access to code signing certificates and keys

Simply storing a private key in secure storage is insufficient to protect it. Organizations need to define the conditions in which that key is authorized to be used and enforce those conditions. For example, you need to define and enforce:

  • Who needs to approve access to the key
  • What types of software can be signed with that key
  • Which computers can be used to sign with that key
  • What code signing tools may be used for signing with that key
3. Define a security policy and enforce it.

While development teams are experts in writing code, they may not have expertise in security. Because of this, the InfoSec team should define policies for code signing certificates, such as which certificate authorities should be used, the encryption strength of keys, etc.

4. Establish global visibility

InfoSec should have visibility into all code signing operations, enterprisewide. To detect risky patterns as well as pass compliance audits, it is important to have visibility into:

  • All code that has been signed
  • What code signing certificates were used, even if when they come from different certificate authorities, including internal CAs
  • Who signed the code, what machine it was signed on, when it was signed, and with which code signing tool
  • Who approved the code signing operation
5. Provide an easy-to-use code signing service

Software teams are driven by release schedules. Anything perceived to interfere with their ability to release code is often discarded for something more convenient. Therefore, code signing should be made available to software teams as an easy-to-use, fast, simple service that readily fits into their established software release process. This often means that it needs to have an API so that it can be automated and accessible through scripting.

The Venafi protection

“The only way to protect themselves and their customers is for organizations to have a clear understanding about when code signing is allowed, where it is being used and insight into the integrations between code signing and development build systems,” says Kevin Bocek. “This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”

Learn how Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities.

Related posts

Learn more about machine identity management. Explore now.

Like this blog? We think you will love this.
Featured Blog

What Is the Difference Between a Public Key and a Private Key?

Symmetric and asymmetric encryption

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Eddie Glenn
Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more